Fine tuning your internal controls with COSO 14 June 2019 COSO Overview Updated Internal Controls framework Contents The CPAs role in maintaining security and promoting data privacy PwC Summary of key updates Impact of COSO to business Q&A Protection Let us know, which among the words comes into your mind first when you think about internal controls? Necessary Compliance Task Barrier Override Fine tuning your internal controls with COSO PwC 3 Internal control is a process, effected by an entity’s board of directors, management, and other personnel designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance Definition under the 2013 COSO Internal Control – Integrated Framework Fine tuning your internal controls with COSO PwC Geared to the achievement of objectives A process Effected by people Provide reasonable assurance Adaptable to the entity structure 4 What is COSO Internal Control Integrated Framework? In 1992, COSO published the original IC Framework (authored by PwC), which allows the management of an organization to • establish, • monitor, • evaluate, and • report on internal control. The original IC Framework has gained widespread acceptance and use worldwide. In 2013, COSO published the updated IC Framework (also authored by PwC) to ease use and application, • considering changes in business and operating environments, • articulating principles and clarifying requirements for effective internal control, and • encouraging users to apply internal control to additional objectives. Fine tuning your internal controls with COSO PwC 5 COSO’s Internal Control and Enterprise Risk Frameworks Internal Control – Integrated Framework (2013) Enterprise Risk Management – Integrated Framework (2018) • Both framework adopt principles driven approach thus are suitable to most entities • Geared towards seeking greater transparency and accountability • Consider the increasing complexity and technological advancements of business environment Fine tuning your internal controls with COSO PwC 6 Updated IC framework eases use and application Demonstrates commitment to integrity and ethical values Exercises oversight responsibility Demonstrates commitment to competence Enforces accountability Specifies suitable objectives Identifies and analyzes risks Assess fraud risk Identifies and assesses significant changes Control Activities Selects and develops control activities Selects and develops general controls over technology Deploys controls through policies and procedures Information and Communication Generates/obtains and uses information Communicates internally Communicates externally Monitoring Activities Performs ongoing and/or separate control evaluations Evaluates and communicates control deficiencies Control Environment Risk Assessment Fine tuning your internal controls with COSO PwC Establishes structure, authority, and responsibility 7 Summary of key updates • Core definition of internal control What is NOT fundamentally changing? • Three categories of objectives and five components of internal control • Each of the five components of internal control are required for effective internal control • Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness Fine tuning your internal controls with COSO PwC 8 Summary of key updates Update articulates principles as important characteristics of the components of internal control • Principles are suitable and presumed relevant for all entities 5 Components • Principles can support achievement of a single, multiple, or overlapping objectives 17 Principles Points of focus Controls Fine tuning your internal controls with COSO PwC • When principles are present and functioning, objectives are specified with sufficient clarity to assess risk and deploy controls to mitigate risk to acceptable level • Applying principles provides a basis for checking what’s covered and what’s missing across the business—including dispersed and outsourced operations 9 Summary of key updates – what IS changing? Control Environment • Governance- Management’s philosophy and operating style • Linkages between various components of internal control • Organizational structure • Integrity and ethical values • Linking risk and performance • Organizational complexities • Roles and responsibilities alignment Fine tuning your internal controls with COSO PwC 10 Summary of key updates – what IS changing? Risk Assessment • Risk assessment process • Risk severity • Risk tolerances • Impact of internal and external factors • Fraud risk Fine tuning your internal controls with COSO PwC 11 Summary of key updates – what IS changing? Control Activities • Evolution of technology • Automated controls vs. general controls over technology • Control techniques • General technology controls • Policies and procedures vs. control activities Fine tuning your internal controls with COSO PwC 12 Summary of key updates – what IS changing? Information and Communication • Information quality • External reporting information • Information protection and reliability • Information volumes and sources • Impact of technology • Communication with third parties Fine tuning your internal controls with COSO PwC 13 Summary of key updates – what IS changing? Monitoring • Monitoring activities terminology • Establishing evaluations • Technology and service providers use Fine tuning your internal controls with COSO PwC 14 What are driving the focus on internal controls? Impact of COSO to your business, stakeholders, and users Fine tuning your internal controls with COSO PwC Consequences of control failurefinancial, reputational, regulatory Accelerating pace of business change Complex, interconnected businesses and systems Complexity of “extended enterprise” These factors are pushing us to rethink about controls Desire for common standards (and efficiencies) Increased regulatory scrutiny and stakeholder demand Governance effectiveness requirements (Board requirement) Digitisation/ technological advancements 15 01. Structure and Governance 02. Communication, culture and training Design principles of a target operating model for internal controls 03. Roles and responsibilities 04. Processes 05. Tools, technology and reporting 06. Working groups and integration 07. Accountability and performance management Fine tuning your internal controls PwC 16 01. Structure and governance Design principles of a target operating model for internal controls • • Clear responsibility for oversight and assurance of business controls. • Divorcing control operation and control review providing reliable and quantifiable independent assurance that is suitable for audit leverage. • A simplified structure that reduces the risk created through multiple hand-offs. Fine tuning your internal controls with COSO PwC 17 02. Communication, culture and training Design principles of a target operating model for internal controls • • A behaviour and cultural shift in line with the seven critical behaviours. • Business sees value in controls through greater understanding. • Clear understanding of process and control principles (e.g. detective/preventative and good control design). Fine tuning your internal controls with COSO PwC 18 03. Roles and responsibilities Design principles of a target operating model for internal controls • • Risk owners have clear understanding of the risk and how this is mitigated through controls. • Clear roles and responsibilities for controls going through business change. • SMART objectives set, and agreed, for each Risk and Control resource Fine tuning your internal controls with COSO PwC 10 04. Processes Design principles of a target operating model for internal controls • • Consistent approach and focus to the management of risks and controls across the business. • Documentation standards and guidelines. • Fundamental processes captured and operational (e.g. Business change, reporting, incident management, training etc...). Fine tuning your internal controls with COSO PwC 11 05. Tools, technology and reporting Design principles of a target operating model for internal controls • • Effective use of an appropriate tool(s). • Leveraging existing sources of best practice. • Company technology resources and future system landscape. • Automation of control. • Effective dashboard reporting. Fine tuning your internal controls with COSO PwC 21 06. Working groups and integration Design principles of a target operating model for internal controls • • An awareness and clarity of the risk and response managed by the 1st line. • Transparency in process and reporting so there is one view of the truth that is appropriate at all levels. • Strong relationships and engagement within the business. Fine tuning your internal controls with COSO PwC 22 07. Accountability and performance management • Clear accountability for controls and control failures within 1st line Design principles of a target operating model for internal controls • • Clear accountability for risks (understanding of risk appetite and risk impact to the business). • Incremental steps to embedding accountability and changing the culture. Progress mapped against these steps. • Consistent reporting of leading indicators in control design and effectiveness. • Internal control objectives within Business Unit plans and Director objectives as appropriate Fine tuning your internal controls with COSO PwC 23 Accounting and reporting changes These are the potential lead indicators for control failures Reliance on selfassessment Governance Fine tuning your internal controls with COSO PwC PwC Usually prolonged success Reliance on management integrity Autonomy and override Over reliance on 3rd line of defense Wide scope for local interpretation Dominant management style Inadequate resourcing 24 Identifying controls Objective Fine tuning your internal controls with COSO PwC Risk Control Alignment 25 In practice, stakeholder engagement and control design are key in achieving control effectiveness Fine tuning your internal controls with COSO PwC 1. Context and stakeholder engagement Understand the current state, engage with stakeholders, agree the process objectives and risk appetite 2. Process, risk and controls review 3. Interpret, feedback and validation 4. Update and report Walkthrough endto-end process and identify risk sources. Understand key controls currently in place at the process level Determine the right controls, using risk assessment, appetite and control objectives. Identify potential improvements, gaps or incomplete controls A process for updating, iterating and improving the control environment 26 26 A strategic perspective on internal control Fine tuning your internal controls with COSO PwC Internal control empowers employees Internal control helps in achieving important objectives Internal control is dynamic and changes with the business 27 27 Questions? Thank you! pwc.com/ph This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, Isla Lipana & Co., its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2019 Isla Lipana & Co. All rights reserved. In this document, “PwC” refers to Isla Lipana & Co. which is the Philippine member firm of PwC network, each member firm of which is a separate legal entity. Please see www.pwc.com/structure for further details.
